James Server
JAMES-1734

As an authenticated JMAP user, I can pretend to be someone else in the mails I send


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: JMAP
    • Labels: None

    Description

      Scenario:

      Bob and Alice are together, a happy couple. William is jealous of this. He decides to send a mail to Alice, with Bob's identity, to tell her Bob decided to break up.

      To do this, Bob performs a JMAP POST to the setMessages endpoint on the outbox. He then uses Bob's address in the from field.

      Alice will receive a mail from Bob saying they broke up. She will believe it, cry all night and meet William.

      Code snippets: failing test:

      ```
      // Imports for the snippet (packages as in the James JMAP integration tests of the time)
      import static com.jayway.restassured.RestAssured.given;
      import static com.jayway.restassured.RestAssured.with;

      import com.jayway.restassured.http.ContentType;
      import org.apache.james.jmap.JmapAuthentication;
      import org.apache.james.jmap.api.access.AccessToken;
      import org.apache.james.mailbox.model.MailboxConstants;
      import org.junit.Test;

      // jmapServer, username, accessToken and getOutboxId() are fixtures of the enclosing
      // integration test class; accessToken is the token of the authenticated user "username",
      // who plays William here.
      @Test
      public void test() throws Exception {
          jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, username, "sent");
          jmapServer.serverProbe().addUser("bob@domain.tld", "1234");
          jmapServer.serverProbe().addUser("alice@domain.tld", "1234");

          // setMessages "create" in the outbox: "from" is Bob's address although the
          // request is authenticated as "username"
          String requestBody = "[" +
              "  [" +
              "    \"setMessages\"," +
              "    {" +
              "      \"create\": { \"user|inbox|1\" : {" +
              "        \"from\": { \"email\": \"bob@domain.tld\"}," +
              "        \"to\": [{ \"name\": \"Alice\", \"email\": \"alice@domain.tld\"}]," +
              "        \"cc\": [{ \"name\": \"ALICE\"}]," +
              "        \"subject\": \"Alice, I break up with you !\"," +
              "        \"textBody\": \"In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it\"," +
              "        \"mailboxIds\": [\"" + getOutboxId() + "\"]" +
              "      }}" +
              "    }," +
              "    \"#0\"" +
              "  ]" +
              "]";

          // Given: a request authenticated as "username"
          given()
              .accept(ContentType.JSON)
              .contentType(ContentType.JSON)
              .header("Authorization", accessToken.serialize())
              .body(requestBody)
          // When: the message is created in the outbox, which makes the server send it
          .when()
              .post("/jmap")
              .prettyPeek();

          // Then: authenticate as Alice and read her inbox
          AccessToken aliceAccessToken = JmapAuthentication.authenticateJamesUser("alice@domain.tld", "1234");

          // wait for the mail to be delivered
          Thread.sleep(10000);

          with()
              .accept(ContentType.JSON)
              .contentType(ContentType.JSON)
              .header("Authorization", aliceAccessToken.serialize())
              .body("[[\"getMessageList\", {\"fetchMessages\":true, \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]")
          .when()
              .post("/jmap")
              .prettyPeek();
      }
      ```

      JMAP responses:

      William:

      ```
      [
        [
          "messagesSet",
          {
            "accountId": null,
            "oldState": null,
            "newState": null,
            "created": {
              "user|inbox|1": {
                "id": "username@domain.tld|outbox|1",
                "blobId": "1",
                "threadId": "username@domain.tld|outbox|1",
                "mailboxIds": [
                  "cf265170-1299-11e6-9382-c5a352d114a2"
                ],
                "inReplyToMessageId": null,
                "isUnread": false,
                "isFlagged": false,
                "isAnswered": false,
                "isDraft": false,
                "hasAttachment": false,
                "headers": {
                  "cc": " ",
                  "date": "Thu, 5 May 2016 15:17:29 +0700",
                  "bcc": " ",
                  "sender": "bob@domain.tld",
                  "subject": "Alice, I break up with you !",
                  "message-id": "user|inbox|1",
                  "from": "bob@domain.tld",
                  "to": "Alice <alice@domain.tld>",
                  "reply-to": " "
                },
                "from": {
                  "name": "bob@domain.tld",
                  "email": "bob@domain.tld"
                },
                "to": [
                  {
                    "name": "Alice",
                    "email": "alice@domain.tld"
                  }
                ],
                "cc": [],
                "bcc": [],
                "replyTo": [],
                "subject": "Alice, I break up with you !",
                "date": "2016-05-05T08:17:29.974Z",
                "size": 297,
                "preview": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
                "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
                "htmlBody": null,
                "attachments": [],
                "attachedMessages": {}
              }
            },
            "updated": [],
            "destroyed": [],
            "notCreated": {},
            "notUpdated": {},
            "notDestroyed": {}
          },
          "#0"
        ]
      ]
      ```

      Alice:

      ```
      [
        [
          "messageList",
          {
            "accountId": null,
            "filter": null,
            "sort": [],
            "collapseThreads": false,
            "state": null,
            "canCalculateUpdates": false,
            "position": 0,
            "total": 0,
            "threadIds": [],
            "messageIds": [
              "alice@domain.tld|INBOX|1"
            ]
          },
          "#0"
        ],
        [
          "messages",
          {
            "notFound": [],
            "list": [
              {
                "id": "alice@domain.tld|INBOX|1",
                "from": {
                  "name": "bob@domain.tld",
                  "email": "bob@domain.tld"
                },
                "subject": "Alice, I break up with you !",
                "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it"
              }
            ]
          },
          "#0"
        ]
      ]
      ```
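The check this report shows to be missing, as an added example that is not code from James or from the reporter: before a draft created through setMessages is sent, its `from` is compared with the authenticated account. It is written in Python rather than the project's Java so it runs stand-alone; the alias table, the account names and the error wording are assumptions made for the example. It also goes a little beyond the report in two ways: a display name that spells a different address (`{"name": "bob@domain.tld", "email": "william@domain.tld"}`) is rejected too, and the authenticated account is always recorded as Sender, so an allowed alias in From stays traceable.

```python
"""Server-side From check for the JMAP setMessages create path.

Added example, not James project code. Given the authenticated JMAP account
and the "create" map of a setMessages call, each draft is accepted only if
its From address belongs to that account (its own address or an alias).
"""
import json
from typing import Any, Optional

# Constructed alias table: account -> addresses it may send as.
# (Assumption for this example; James keeps its own user/alias model.)
ALIASES: dict[str, set[str]] = {
    "william@domain.tld": {"william@domain.tld", "will@domain.tld"},
    "bob@domain.tld": {"bob@domain.tld"},
    "alice@domain.tld": {"alice@domain.tld"},
}


def normalize(address: str) -> str:
    """Canonical form for comparison: trimmed, local part and domain lower-cased.
    Lower-casing the local part is a policy choice (RFC 5321 allows it to be
    case-sensitive); comparing raw strings would let Bob@domain.tld slip past."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local.lower()}@{domain.lower()}"


def from_error(description: str) -> dict[str, Any]:
    """Error object in the shape JMAP uses under notCreated."""
    return {"type": "invalidProperties", "properties": ["from"], "description": description}


def check_from(authenticated_user: str, draft: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Return None if the draft may be sent as-is, else the error to report."""
    me = normalize(authenticated_user)
    allowed = {normalize(a) for a in ALIASES.get(me, {me})}
    from_field = draft.get("from")
    if from_field is None:
        return None  # submit() fills in the authenticated user instead of guessing
    if not isinstance(from_field, dict) or not isinstance(from_field.get("email"), str):
        return from_error("'from' must be an object with an 'email' string")
    try:
        claimed = normalize(from_field["email"])
    except ValueError:
        return from_error(f"'from' is not an address: {from_field['email']!r}")
    if claimed not in allowed:
        return from_error(f"'from' must be one of {sorted(allowed)}, got {from_field['email']!r}")
    # Display-name trick: the address is the caller's own, but the name shown by
    # most clients is somebody else's address.
    name = from_field.get("name")
    if isinstance(name, str) and "@" in name:
        try:
            if normalize(name) != claimed:
                return from_error("display name spells a different address than 'email'")
        except ValueError:
            return from_error("display name looks like a malformed address")
    return None


def submit(authenticated_user: str, create: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Process the "create" map of a setMessages call and return the
    created / notCreated split, as in the messagesSet response above."""
    created: dict[str, Any] = {}
    not_created: dict[str, Any] = {}
    for creation_id, draft in create.items():
        error = check_from(authenticated_user, draft)
        if error is not None:
            not_created[creation_id] = error
            continue
        from_address = normalize((draft.get("from") or {}).get("email", authenticated_user))
        # Sender is always the account that submitted the draft, whatever From says.
        created[creation_id] = {"from": from_address, "sender": normalize(authenticated_user)}
    return {"created": created, "notCreated": not_created}


# The report's request as constructed input: the caller is authenticated as
# William and claims Bob's address in "from".
SPOOF_REQUEST: dict[str, dict[str, Any]] = json.loads("""{
  "user|inbox|1": {
    "from": {"email": "bob@domain.tld"},
    "to": [{"name": "Alice", "email": "alice@domain.tld"}],
    "subject": "Alice, I break up with you !",
    "textBody": "In this mail william@domain.tld pretends to be bob@domain.tld"
  }
}""")

if __name__ == "__main__":
    print(json.dumps(submit("william@domain.tld", SPOOF_REQUEST), indent=2))
```

Run stand-alone, it prints the report's draft under `notCreated` with an `invalidProperties` error on `from`; the same request submitted by bob@domain.tld lands under `created`. Rejecting at creation time, rather than rewriting From silently, is deliberate: a client that wants to send as an alias gets a clear error instead of a message that went out under a different address than it displayed.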

      People

        Assignee: btellier Benoit Tellier
        Reporter: btellier Benoit Tellier